Windows AD and MIT KDC Cross-Realm Trust

Douglas E. Engert deengert at anl.gov
Mon Feb 16 19:56:52 EST 2004



Digant Kasundra wrote:
> 
> > That is the only way to do it.  There is no term called
> > "pass-through" authentication within Kerberos.  The
> > authentication between the MIT and Microsoft realms is based
> > on cross-realm trusts.  This is exactly what is described on the page:
> 
> I guess I am using the phrase "pass-through" authentication as it is
> referenced below:
> 
> http://acd.ucar.edu/~fredrick/linux/kerberos/testbed.html
> 
> (e.g. a workstation on a domain authning against Krb and authzing against AD
> as opposed to a standalone workstation doing the same thing).
> 
> Sorry for my misunderstandings.
> 
> That being the case, when a user tries to login using bwinkle at kerb.uta.edu,
> I do see a request hit the KDC but the user still does not get logged in.
> According to the logs, I see an AS_REQ "bwinkle at KERB.UTA.EDU for
> krbtgt/KERB.UTA.EDU at KERB.UTA.EDU".  

Yes, that is the first step.

This would then be used by the workstation to get a ticket for the workstation 
if the workstation is in the same realm as the user. If not, this would be used 
to get a krbtgt. 

> In my principals on the KDC machine
> (montyburns), I have bwinkle at KERB.UTA.EDU, krbtgt/KERB.UTA.EDU at KERB.UTA.EDU,
> krbtgt/KERB.UTA.EDU at UTA.EDU and krbtgt/UTA.EDU at KERB.UTA.EDU (as well as the
> kadmin ones that are created at install).
> 
> What else should I look at?

Is the workstation part of a domain? 

What does ksetup on the workstation show? 

> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
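An added example, not code from either poster, of the check the reply above implies: given the MIT KDC's log and the KDC's principal list, confirm whether the two tickets a cross-realm workstation logon must pull from the user's KDC (the initial krbtgt/KERB.UTA.EDU@KERB.UTA.EDU, then the cross-realm krbtgt/UTA.EDU@KERB.UTA.EDU) were both issued, and whether both cross-realm krbtgt principals exist. The log lines are constructed to approximate MIT krb5kdc.log output; the host name montyburns and realm names come from the thread, the addresses, timestamps and second user (hsimpson) are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample of the log that the KDC in KERB.UTA.EDU (montyburns) would
# write. Format approximates MIT krb5kdc.log; addresses and times are invented.
# bwinkle's logon completes both steps; hsimpson's stops after the AS_REQ, which
# is the symptom described in the thread (the workstation never asks for the
# cross-realm TGT, so the trust is not being used at all).
SAMPLE_KDC_LOG = """\
Feb 16 19:01:02 montyburns krb5kdc[2211](info): AS_REQ (7 etypes {23 1 3 16 17 18 2}) 129.107.1.50: ISSUE: authtime 1076976062, etypes {rep=23 tkt=16 ses=23}, bwinkle@KERB.UTA.EDU for krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
Feb 16 19:01:02 montyburns krb5kdc[2211](info): TGS_REQ (7 etypes {23 1 3 16 17 18 2}) 129.107.1.50: ISSUE: authtime 1076976062, etypes {rep=23 tkt=23 ses=23}, bwinkle@KERB.UTA.EDU for krbtgt/UTA.EDU@KERB.UTA.EDU
Feb 16 19:05:40 montyburns krb5kdc[2211](info): AS_REQ (7 etypes {23 1 3 16 17 18 2}) 129.107.1.51: ISSUE: authtime 1076976340, etypes {rep=23 tkt=16 ses=23}, hsimpson@KERB.UTA.EDU for krbtgt/KERB.UTA.EDU@KERB.UTA.EDU
"""

# Request type, client address, KDC status word, then "client for server".
# Failures such as CLIENT_NOT_FOUND put a message after the server name, so the
# principal names stop at whitespace or a comma.
LINE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) .*?\d+\.\d+\.\d+\.\d+: (?P<status>[A-Z_ ]+?): .*?"
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)")


@dataclass(frozen=True)
class KdcEvent:
    req: str
    status: str
    client: str
    server: str


def parse_kdc_log(text):
    """Extract one KdcEvent per AS_REQ/TGS_REQ line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(KdcEvent(**m.groupdict()))
    return events


def expected_chain(user, user_realm, ws_realm):
    """The two tickets a workstation in ws_realm must obtain from user_realm's
    KDC when user@user_realm logs on to it. The third step, the host ticket
    from ws_realm's KDC (the AD domain controller), is not in this log."""
    client = f"{user}@{user_realm}"
    return [
        ("AS_REQ", client, f"krbtgt/{user_realm}@{user_realm}"),   # initial TGT
        ("TGS_REQ", client, f"krbtgt/{ws_realm}@{user_realm}"),    # cross-realm TGT
    ]


def check_login_chain(events, user, user_realm, ws_realm):
    """Return (seen, missing): which steps of the chain the log shows issued."""
    seen, missing = [], []
    for req, client, server in expected_chain(user, user_realm, ws_realm):
        hit = next((e for e in events if e.req == req and e.client == client
                    and e.server == server and e.status == "ISSUE"), None)
        (seen if hit else missing).append(f"{req} {client} for {server}")
    return seen, missing


def check_trust_principals(principals, mit_realm, ad_realm):
    """For a two-way trust the MIT database needs both cross-realm TGT
    principals: krbtgt/AD@MIT (MIT users going to AD hosts) and krbtgt/MIT@AD
    (AD users coming to MIT services). Returns the ones that are absent."""
    needed = {f"krbtgt/{ad_realm}@{mit_realm}", f"krbtgt/{mit_realm}@{ad_realm}"}
    return sorted(needed - set(principals))


if __name__ == "__main__":
    # Principal list as given in the thread (kadmin principals omitted).
    principals = ["bwinkle@KERB.UTA.EDU", "krbtgt/KERB.UTA.EDU@KERB.UTA.EDU",
                  "krbtgt/KERB.UTA.EDU@UTA.EDU", "krbtgt/UTA.EDU@KERB.UTA.EDU"]
    print("missing trust principals:",
          check_trust_principals(principals, "KERB.UTA.EDU", "UTA.EDU"))
    events = parse_kdc_log(SAMPLE_KDC_LOG)
    for user in ("bwinkle", "hsimpson"):
        seen, missing = check_login_chain(events, user, "KERB.UTA.EDU", "UTA.EDU")
        print(f"{user}: seen={seen} missing={missing}")
```

If only the AS_REQ step is seen, as in the thread, the MIT KDC and its principals are not the place to keep looking: the workstation never asked for krbtgt/UTA.EDU@KERB.UTA.EDU, which is what the ksetup question in the reply is probing.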

